Hacking tool guidance finally appears

When civil servants talk about “spring” they mean before Parliament rises in July and by “the summer” they usually mean “before the party conference season” in September. But it seems that when a minister tells a Lords Committee “the end of the summer” they mean the last day of December. Well it has been pretty cold recently, so I expect that concentrated their minds!

This “summer” event, which can be reported today, is the publication of the Crown Prosecution Service guidance on what should be considered before bringing prosecutions under s3A of the Computer Misuse Act, when amendments to it come into force — probably April 2008 (for reasons that I discussed last July).

What is at issue is so-called hacking tools, and the problem arises because almost every hacking tool you can think of from perl to nmap is dual use — the good guys use it for good purposes, and the bad guys use it for bad. The bad guys are of course committing an offence, and the good guys are not … but the complexity surrounds “distribution”, if a good guy runs a website and a lot of bad people download the tool from it, has the good guy committed an offence?

The actual wording of the offence says "supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]" and so we need to know what "believing that it is likely" might mean. Whilst the law was going through Parliament the Home Office suggested that “likely” would be a 50% test, and they promised to publish the guidance to prosecutors so we’d all know where we stood.

Anyway, that guidance is now out — and there’s no mention, surprise, surprise, of “50%”. Instead, the tests that the CPS will apply are:

Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?

Is the article available on a wide scale commercial basis and sold through legitimate channels?

Is the article widely used for legitimate purposes?

Does it have a substantial installation base?

What was the context in which the article was used to commit the offence compared with its original intended purpose?

which after a good start using words like “primarily” and “deliberately” (which would have been a sensible law to have in the first place) then goes a bit downhill, in that prosecutors don’t know the difference between “i.e.” and “e.g.”, seem to think that software is generally sold (!), and rather miss the point of dual use by talking about using the tool in a different “context”.

Still, the “installed base” test should at least allow people to distribute perl without qualms (millions of users) — though do note that these are the tests which will be applied at the “deciding if you ought to be charged with an offence” stage, not the points of law and interpretation that the court will use in deciding your guilt.

In other words, penetration testing training courses, or events like the Black Hat conference, are going to be illegal within the UK. Or else, how can you assure that such events are widely used for legitimate purposes? Participants may either be legitimate information security professionals and academics or malicious hackers looking for new techniques. Or am I missing something?

The Crown Prosecution Service guidance PDF includes the following, which I think provides some reassurance:

“Prosecutors should be aware that there is a legitimate industry concerned with the security of computer systems that generates ‘articles’ (this includes any program or data held in electronic form) to test and/or audit hardware and software. Some articles will therefore have a dual use and prosecutors need to ascertain that the suspect has a criminal intent.”

But the following test is just mindbogglingly stupid, given the widespread use of Open Source:

“Is the article available on a wide scale commercial basis and sold through legitimate channels?”

If you read the full advice you’ll see that a Black Hat style conference might be very well advised to include a session on the requirements of the Computer Misuse Act — and to request that attendees sign a document saying that they will not contravene it.

Figleaf maybe, but training hasn’t been made illegal, it’s just that the Home Office wanted some charges they could use against peripheral players in an eCrime conspiracy and that meant wording that was far too broad for most everyone else’s taste (not that very much eCrime gets prosecuted at all — but that’s a different story).

What about the overlap with Identity Cards Act 2006 section 29 Tampering with the Register etc., which is also intended to cover Denial of Service attacks against the National Identity Register infrastructure, but which is worded so badly that it also covers all the other Government departments and private sector companies who will be connected to it in some way, i.e. most of them, according to the Home Office fantasies.

I would hope that the fact it (BT) has a widespread “installbase” or at least “userbase” would be enough to consider it legitimate.

RE: “supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]”
Again, surely a disclaimer stating legal compliance/requirement would suffice here?
If someone “accepts” a t&c prohibiting illegal/illicit usage, prior to download, then the supplier cannot be considered to be “knowingly” supplying software explicitly for illegal use?
This should put the ball firmly in the court of the “wrong doer” and not the original author/supplier??

I wonder if this is going to be more fud than content?…..

I would like to think that what they are actually intending to target are authors of minority “malicious” tools such as malware/virus/worm/trojan, when and only when it can be proven that “ownership and usage” was intended solely for illegal purposes all along…..

As usual, the issues will arise around the interpretation of the precise wording used, and we all know how extremely inadequate or vague the wording used can often be.

Also, what is the definition of “widely used”? Again a grey area with no clear definition. Again it’s criminalising legitimate use; you can guarantee that some poor security consultant will get dragged through the courts for no reason other than an over-zealous CPS lawyer.

The problem is – the document is simply guidance to the CPS on the circumstances in which a prosecution should be brought. But each prosecutor makes up his/her own mind. Once the charges have been laid, the test for guilt will not be the CPS Guidance but how a trial judge interprets the wording of the statute when he instructs the jury about the law.

If you write or sign any document at a conference or training course etc stating that you are aware of the new Computer Misuse Act offences, and promise not to commit them, or you accept similar wording via some sort of click through licence small print when using some “dual use” program or data, then you cannot claim that you did not believe that it could be misused to commit or to assist in the commission of an offence.

You cannot magically exclude yourself or your company from criminal liability through the small print of a civil contract or licence agreement, unless you are the Crown, i.e. the Government, or there is a specific statutory exemption in some other Act of Parliament.

So it has to be *both* mostly *and also* solely for criminal purposes?

While in theory I’m reassured that – if followed to the letter – the guidelines imply that the law will never be used since it would require a logical contradiction to be possible before charges would be brought, I suspect in practice this just means that a poorly-worded, overly-broad, self-inconsistent, ill-thought-out and incorrectly-drafted law is now going to be interpreted according to a set of poorly-worded, overly-broad, self-inconsistent, ill-thought-out and incorrectly-drafted guidelines.

So does me funding development of tools like Backtrack or Phlak push me into a grey area, considering the departments I work with and projects I touch in Government? Not like I’ve not been distributing security tools and technologies for more years than I care to think about.

A blog article, I think, is due this evening; feel free to comment as before.

Security in the UK is going to plummet, we are already a laughing stock over how the government keeps losing all the data files.

How exactly are we going to secure systems if we cannot test the integrity of them?

I can see our angle, I develop code, so if I cannot ensure security to a certain degree, when it does get cracked, I suppose there is some money in applying the patch retrospectively, but it does not feel particularly ethical. I suppose I could sit down and develop a load of testing tools which I kept under lock and key, but I would want the big companies to be at the same disadvantage thank you very much.

The next step though is to cordon the net. Most of the attacks originate from other countries, so what we do is block IP ranges, but we cannot do that with home machines at the moment, and look at what business would lose, no foreign business.

They could build the great firewall of Britain, but who would test it :). Breaking net connection from the rest of the world is the logical conclusion to this legislation. Seems pretty daft to me, but Germany is a few months ahead with this style legislation so should be interesting to see what has been happening over there, whilst we still can :).

Most security consultants will probably move to another country if this takes hold, would seem wise if you are interested in the security aspect of IT. But, that is a lot of good thinkers, and woe betide us if cyber warfare becomes a reality, we would have no defense. Think of WWII, would Bletchley Park have existed with legislation like this, I rather doubt it, and cracking enigma played a large part in bringing the war to a close.

The way the legislation is worded does seem like it would have a hard time in court, and really how does it benefit business. UK organizations need to deal with worldwide threats in IT, the threat from a UK citizen is substantially smaller than the threat from a cracker on foreign soil. Most crackers are not going to attack machines in their own countries, the risk of getting caught is higher.

Using this guidance, on balance, the NHS IT system is currently a hacking tool.

Q. Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
A. No (so it’s not a hacking tool)
Q. Is the article available on a wide scale commercial basis and sold through legitimate channels?
A. Not at present (so it’s a hacking tool)
Q. Is the article widely used for legitimate purposes?
A. Not at present (so it’s a hacking tool)
Q. Does it have a substantial installation base?
A. Not at present (so it’s a hacking tool)
Q. What was the context in which the article was used to commit the offence compared with its original intended purpose?
A. It was clearly not intended to be secure (so it’s a hacking tool)

Quite the opposite, in a very obvious way, since there are probably thousands of commercial organisations selling and distributing open source software. Whether you paid doesn’t stop them being commercial organisations – nor will it matter if you got it from somewhere else – it doesn’t say “…bought it in PC World”

For the less obvious way, I wouldn’t necessarily read the words literally. Y’know, just as open source folks probably realise that “free” doesn’t necessarily mean you didn’t pay for it, commercial activity here might well include some of the more hippy-friendly / charity / NPO style organisations. Check your legal definitions here though for what classes as “commercial”, IANAL.

Secondly, the 50% test seems particularly bizarre. How does one hope to measure this? Do you have to issue warrants for every website that hosts a tool for their logs? How is this practical if there are dozens or hundreds of such sites around the world?

I also wonder how baseball bats score on that metric? Britain has a few real baseball teams, but very few (we have other sports such as cricket). If more than 50% of baseball bats are bought by anti-social yobs, does that mean that we punish true baseball teams by removing the tools they need to play?

I can see your points Richard, but the sad fact of life is that until this stuff gets tested in court (and a successful conviction appears) everything else is just speculation. To put it into perspective, the charges associated with being caught carrying a crowbar around a residential neighbourhood are brought about based upon the ability to get a conviction based largely upon precedent. Until that precedent appears it’ll be all over the shop no matter what. That’s why we took our downloads page down last year (not that it was that big at the time anyhow). Until we see a) precedent and b) clear or at least slightly less murky guidance from an authority such as the police, Home Office, CESG or CPNI on what’s reasonable, I doubt it’ll return, even though we have volumes of tools, papers and bits and pieces that could help HMG secure their own infrastructure, applications and data.

The point of having the CPS guidance was to dampen the speculation, but since it has limitations, I agree that further clarity is likely to await a test case (as I hinted at in my post). Although the Home Office could assist, or indeed the CPS could have a second go at it, I don’t see a role for the CPNI or CESG here.

By the way, the crowbar offence (usually called “going equipped”) isn’t based on precedent, but on s25(1) of the Theft Act 1968.

Having a brief read of the “not yet inforced” amendments, a couple of questions came to mind. Firstly, it seems to be an England and Wales act only; is this the case?

Secondly, I notice specific reference to a case where it was decided that software held in America was still illegal if downloaded in England or Wales (once again no mention of Scotland), and such sites were under the jurisdiction of English law. Does this mean that I can just pop over the border and legally download software?

It’s “not yet in force” rather than “not yet enforced”! Also, although you are correct to note that Computer Misuse is a devolved matter, in fact the Scottish Parliament passed a Sewel Motion so that in practice the identical wording will apply in Scotland as well.

As to downloading software in another jurisdiction — which is not much to do with the topic of this article — you would need to obey the law in the country you were in; some laws apply to British citizens even when they are abroad; and you would need to comply with customs requirements when you returned. So you would need some good advice — and I caution you that IANAL!

Having spent quite a bit of yesterday and today discussing this guidance with the CPS (who were actually quite helpful up to certain understandable limits), I have pretty much concluded that: [a] it is a preliminary document that will be revised in the light of judicial proceedings once the revisions come into force, and [b] the guidance (and indeed the wording) do not have binding legal significance – i.e. is indeed merely guidance. I have written up my exchanges with the CPS in case anyone is interested. Although I have concerns both about the concept of “likelihood” and vicarious culpability in general, I am not more deeply worried by this guidance than I was already about the “supply” amendment in general.

The actual wording of the offence says “supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]”

I don’t need to know the meaning of “believe”. If I distribute satan, crack, cops, nmap, etc., I am 100% certain that they will be used by the bad guys. The same applies to Perl and Python or any new tools that I can come up with.

And there is no way that I can rely on CPS guidelines, as these can change whenever they choose.

If I, as a software engineer, write something that the powers that be dislike, this act can be used to stop me with even the threat of prosecution.

And without case law to narrow it, I am prima facie guilty.

This is very bad law that is capable of being abused. With kitchen knives, which are similarly capable of dual use, we do not regulate against making or distribution but purely against their use. Why should software be any different?

#!/bin/sh
echo This is an illegal program to DoS stuff
echo Only works against dial-up devices.
# pass the script's arguments through to ping unchanged ("$@" keeps each argument intact)
ping "$@"

The webserver is now distributing software that fails the tests:

1) The article has been developed primarily, deliberately and for the sole purpose of committing a CMA offence (DoS).
2) the article is not available on a wide scale commercial basis and sold through legitimate channels.
3) The article is not widely used for legitimate purposes.
4) It does not have a substantial installation base.
5) It is in the context and used to commit the offence in line with its original intended purpose.

Oh dear.

Looks like we’re in line for a lot of ‘expert witness’ payments defending poor saps that get harassed by stupid prosecutors….

Primarily with reference to Ian and Dom’s comments (30,31), there is of course no way to protect the stupid from the effects of their own stupidity. If you voluntarily declare unlawful intent or wilfully commit a recognised offence you deserve whatever gets thrown at you.

But I don’t think this is the real issue. As has rightly (and several times) been pointed out here, the real problem is the case where a “dual purpose” tool is supplied in good faith for what appears prima facie to be a lawful purpose and is subsequently used unlawfully – a situation over which the supplier has no direct control. I suspect that established principles wrt negligence will be brought to bear in assessing individual cases. However it may prove expedient to restrict distribution – e.g. not just post tools on the open web but require some kind of registration process before they can be obtained – and to include a EULA containing a “lawful use” clause in the package. Maybe these would be good moves anyway – in any case they are not onerous to implement and could hurt no-one.

It is easy to panic when guidance (and indeed legislation) such as this is put in place, and I myself argued against the supply clause from the start, but in the real world the CPS is very unlikely to suddenly reach out and prosecute thousands of responsible researchers. Neither have the CPS the remit or the resources to trawl the web looking for “suppliers” to prosecute. Some of those who indiscriminately distribute proof of concept code for unpatched vulnerabilities may fall into the net, depending on the perceived resultant exposure. And maybe that’s a good thing.

I assume that most any software downloaded was done so via a browser, at the very least found via a search engine. Would this make the browser supplier liable? Firefox has many plugins available that can be used for dual purposes. Does knowing of or allowing the functionality of the plugins make them liable?

With Section 3A(2) it really is a sad day for the open source, free tools community and academic research.

So I write a new improved vulnerability scanner. Can I circulate it around bugtraq for peer review? I doubt it! While I know it will be used responsibly by many people I also know that it will be used by some Bad Guys to find systems they can hack into.

The problem is how to avoid “believing that it is likely to be used to commit an offence”. If we create a tool and circulate it openly it *will* be picked up by someone and used to do bad things. Only the very naive could fail to believe that an openly distributed tool will not be used by the Bad Guys.

In the CPS guidance we see: “what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly”. This seems to imply that posting a tool openly risks a charge under Section 3A.

The outcome seems to be a prohibition on amateurs creating security tools. If you write a tool you will need an infrastructure to control its distribution. Even small outfits will find the administration an impossible burden. Any cottage industry in security tools will have to move off-shore. Will universities want the effort of controlling distribution? Would the University of Oulu shy away from publishing the results of their secure programming research?

What about such people who hold certifications like Certified Ethical Hacker, who are given copies of tools (some of which are illegal under these plans) during the training and are required to sign disclaimers and such?
Are we going to get locked up for owning these tools, which I would use to check my system(s) are secure by using the same tactics as Black Hats to ensure that no obvious holes exist?